Does HIPAA Protect Your Medical History? What’s Covered, What Isn’t, and Who Can Access It

Kevin Henry

HIPAA

January 20, 2024

8 minute read
The HIPAA Privacy Rule sets national standards for how your medical history is used and shared. It protects most identifiable health information in medical and insurance records, but it does not cover every situation or every app that holds health data. This guide explains what’s covered, what isn’t, and who can access your information.

Overview of the HIPAA Privacy Rule

The HIPAA Privacy Rule establishes when health information may be used or disclosed and grants you rights over your records. It applies to Protected Health Information (PHI) in any form—electronic, paper, or oral—held by covered entities and their business associates.

By default, PHI may be used or disclosed without your written permission for three core purposes: treatment, payment, and health care operations. For most other uses, the organization must obtain your signed authorization. The "minimum necessary" standard limits how much PHI is used or shared for purposes other than treatment (for example, a billing clerk should see what a claim requires, not your full chart).

HIPAA sets a floor, not a ceiling. If a state law is more protective of privacy, organizations generally must follow the stricter rule. The separate HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI, complementing the Privacy Rule's limits on use and disclosure.

Definitions of Protected Health Information

What counts as PHI

PHI is individually identifiable information that relates to your past, present, or future physical or mental health, the care you receive, or payment for that care. It includes obvious identifiers as well as less-obvious details that could identify you when combined with health data.

  • Clinical data: diagnoses, lab results, imaging, medications, allergies, surgical and hospitalization history, care plans, and mental health diagnoses and treatment records (but not psychotherapy notes, which are treated differently; see below).
  • Administrative and financial data: billing records, claims, enrollment and eligibility information, prior authorizations, and payment history.
  • Demographics and identifiers: name, address, contact details, device identifiers, photographs, and other elements that can identify you when linked to health information.

What is not PHI

  • De-identified data. HIPAA recognizes two methods: the Safe Harbor method, which removes 18 specified identifiers (names, geographic units smaller than a state except the first three digits of a ZIP code, all date elements except the year, contact details, account and record numbers, device and biometric identifiers, photographs, and so on), and the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small.
  • Employment records held by your employer (even if health-related), and education records covered by FERPA.
  • Personal records you keep for yourself, and records in consumer health or wellness apps that are not acting on behalf of a covered entity.
  • Information about a person who has been deceased for more than 50 years.
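The Safe Harbor method described above is mechanical enough to show in code. The following Python is an added illustration, not code from the original article or from Accountable: it applies the Safe Harbor rules to a constructed sample record, dropping direct identifiers, truncating ZIP codes to three digits (or 000 for the low-population prefixes HHS lists), reducing dates to the year, collapsing ages of 90 and above into one bucket, and doing a best-effort scrub of free-text notes. The field names, the sample record, and the regular expressions are assumptions for illustration; the restricted-ZIP list is the one in HHS guidance derived from 2000 Census data and should be checked against current guidance before any real use.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added illustration of 45 CFR 164.514(b)(2). Field names, sample data and
regexes are assumptions; this is not a compliance tool.
"""
import re
from datetime import date

# Identifier classes Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Three-digit ZIP prefixes with population <= 20,000 (HHS list, 2000 Census);
# Safe Harbor requires these to be reported as 000. Verify before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}
DATE_FIELDS = {"admission_date", "discharge_date", "death_date"}
FREE_TEXT_FIELDS = {"notes"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or 000 for restricted low-population prefixes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_bucket(dob_iso: str, as_of_iso: str) -> str:
    """Age in whole years as of a date; everyone 90 or older shares one bucket."""
    dob, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else str(years)


def scrub_free_text(text: str, known_names: list) -> str:
    """Best-effort removal of identifiers from narrative text.
    Regexes catch structured identifiers; the patient's own name tokens
    (from the structured name field) are removed explicitly."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    for token in known_names:
        if len(token) >= 3:  # skip initials, which would over-match
            text = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", text,
                          flags=re.IGNORECASE)
    return text


def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a Safe Harbor de-identified copy of a record (dates as ISO strings)."""
    name_tokens = record.get("name", "").replace(".", "").split()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = age_bucket(value, as_of_iso)
            out["age"] = age
            if age != "90+":  # the birth year itself reveals an age over 89
                out["birth_year"] = str(date.fromisoformat(value).year)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = str(date.fromisoformat(value).year)
        elif key in FREE_TEXT_FIELDS:
            out[key] = scrub_free_text(value, name_tokens)
        else:
            out[key] = value
    return out


# Constructed sample; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "dob": "1931-04-12",
    "zip": "03601",
    "admission_date": "2023-11-03",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Pt Jane reachable at 555-010-2233; follow up in clinic.",
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE_RECORD, "2024-01-20").items():
        print(f"{field}: {value}")
```

Two points the code makes that the list above does not: a birth year must go when the age is 90 or over, because the year alone reveals an age over 89; and free text is where Safe Harbor most often fails in practice, since regexes and a name-token scrub only catch what they are written to catch. Safe Harbor also requires that the entity has no actual knowledge the remaining data could identify the person, which no script can establish on its own.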

Roles of Covered Entities

Covered entities

Three types of organizations qualify as covered entities under HIPAA:

  • Health care providers who electronically transmit standard transactions (for example, claims or eligibility checks).
  • Health plans, including insurers, HMOs, employer-sponsored group health plans, and government health programs.
  • Health care clearinghouses that standardize nonstandard health information for billing and other transactions.

Business associates

Business associates are vendors or partners that create, receive, maintain, or transmit PHI on behalf of a covered entity. Examples include EHR and cloud providers, billing companies, data analytics firms, telehealth platforms, and certain consultants or attorneys.

They must sign a Business Associate Agreement that binds them to HIPAA safeguards and limits how they can use and disclose PHI. Business associates may access PHI only as needed to perform contracted services.

Who can access your medical history

Within a covered entity, only workforce members whose role requires it may access your PHI, and for purposes other than treatment only the minimum necessary. Business associates may access PHI strictly within the terms of their agreement. Anyone else generally needs your written authorization unless a HIPAA exception applies.

Individual Rights Under HIPAA

Your right of access

You can inspect or receive copies of your records within 30 days of your request (with one allowable 30-day extension and written notice of the reason). You may request an electronic copy in a readily producible format or have it sent to a designated third party. Providers may charge only a reasonable, cost-based fee for copies.

Additional rights

  • Request corrections (amendments) to inaccurate or incomplete information in your record.
  • Request restrictions on certain disclosures; if you pay a provider in full out of pocket, you may require that information not be shared with your health plan for that service.
  • Request confidential communications (for example, billing sent to a different address).
  • Receive a Notice of Privacy Practices explaining how your information is used and your rights.
  • Obtain an accounting of certain disclosures made without your authorization.

Authorized Disclosure Exceptions

Disclosures allowed without written authorization

  • Treatment, payment, and health care operations.
  • Public health activities, such as reporting certain diseases or adverse events.
  • Health oversight, audits, and inspections.
  • Judicial and law enforcement purposes, subject to specific limits.
  • To avert a serious threat to health or safety.
  • Organ and tissue donation and certain decedent-related disclosures.
  • Workers’ compensation and other disclosures required by law.
  • Research under defined safeguards, such as an IRB or privacy board waiver.

Psychotherapy Notes Exemption

Psychotherapy notes—personal notes recorded by a mental health professional analyzing a counseling session and kept separate from the medical record—receive special protection. They are generally excluded from your right of access and typically require a specific disclosure authorization for use or release, with narrow exceptions (such as to defend the clinician in a legal action). This exemption does not apply to general behavioral health information, diagnoses, medications, or billing records.

Protection of Family Medical History

Family medical history documented in your chart is part of your PHI and is protected. Clinicians may use or share it for your treatment and related operations. They may also discuss relevant information with family or friends involved in your care when you agree, are given an opportunity to object, or when you are incapacitated and it is in your best interests.

  • Your relatives’ own medical records remain their PHI; a provider cannot disclose a relative’s PHI to you without that person’s authorization or other legal authority.
  • Parents are usually personal representatives for minors, but state laws and specific situations (such as certain reproductive, mental health, or substance use services) can give minors control over related records.
  • For decedents, HIPAA protections continue for 50 years; personal representatives may access the decedent’s PHI, and providers may share relevant information with family involved in the person’s care prior to death as permitted by HIPAA.
  • Genetic information is treated as health information; health plans generally may not use genetic information for underwriting purposes.

Access Restrictions and Denial Conditions

Denial of Access Criteria

HIPAA permits denials of access only on limited grounds. Some grounds are not subject to review; others require a licensed health care professional to review the decision if you ask.

Unreviewable denials

  • Psychotherapy notes kept separate from the medical record.
  • Information compiled in reasonable anticipation of, or for use in, a legal proceeding.
  • Information created or obtained during research in progress, if you agreed in advance to suspend access until the study ends.
  • Information that another applicable law specifically prohibits from being released to you.

Denials subject to review

  • Access is reasonably likely to endanger the life or physical safety of you or another person.
  • The record refers to another person (other than a health care provider) and access is reasonably likely to cause substantial harm to that person.
  • A personal representative's request is reasonably likely to cause substantial harm to you or another person.

How denials and appeals work

  • If access is denied, you must receive a timely, written explanation in plain language stating the basis for the denial, whether it is reviewable and how to request a review, and how to file a complaint with the provider or with HHS.
  • For reviewable denials, a licensed health care professional who was not involved in the original decision evaluates your request; the provider must abide by that determination.
  • Providers cannot deny access because of unpaid bills or because the information might be upsetting; the reason must fit one of HIPAA's listed grounds.

Bottom line: HIPAA strongly protects your medical history by defining PHI, limiting disclosures, and giving you clear rights to access and control information. Understanding covered entities, business associates, disclosure authorization rules, the psychotherapy notes exemption, and denial of access criteria helps you anticipate who can see your records and how to exercise your rights.

FAQs

What types of medical history are protected by HIPAA?

HIPAA protects Protected Health Information (PHI) in any form that can identify you and relates to your health, your care, or payment for that care. That includes clinical notes, diagnoses, lab results, imaging, medications, allergies, surgical history, billing and claims, and demographics linked to health information. De-identified data, employment records held by your employer, and records in consumer apps that are not acting for a covered entity are not PHI.

Who qualifies as a covered entity under HIPAA?

Covered entities are health care providers who transmit standard electronic transactions, health plans (insurers, HMOs, group health plans, government programs), and health care clearinghouses. Business associates are separate organizations that handle PHI for covered entities under a Business Associate Agreement.

Can a provider share my medical history with family members?

Providers may share relevant information with family or friends involved in your care when you agree, when you have the chance to object and do not, or when you are incapacitated and sharing is in your best interests. Otherwise, disclosing PHI, including a relative's PHI, to others generally requires a written authorization or other legal authority.

When can access to medical records be denied?

Access can be denied only for limited reasons. Unreviewable denials include psychotherapy notes, information prepared for legal proceedings, information from research in progress when you agreed in advance to suspend access, and information another law prohibits from being released. Reviewable denials include situations where access is reasonably likely to endanger someone's life or physical safety, to cause substantial harm to another person mentioned in the record, or, for a personal representative's request, to cause substantial harm to you or another person. The provider must explain the reason in writing and describe your review and complaint options.
